Artem Smotrakov artem-smotrakov
☘️
artem-smotrakov
/ RunExpressionJuel.java
Created
April 14, 2021 07:41
Example of evaluating an expression with JUEL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public static Object evaluate(String expression) { | |
| ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl(); | |
| ELContext context = new de.odysseus.el.util.SimpleContext(); | |
| ValueExpression e = factory.createValueExpression(context, expression, Object.class); | |
| return e.getValue(context); | |
| } |
artem-smotrakov
/ ExpressionEvaluationSink.ql
Created
April 14, 2021 07:10
Jakarta EL sinks for detecting EL injections with CodeQL, see also https://github.com/github/codeql/pull/5471
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| private class ExpressionEvaluationSink extends DataFlow::ExprNode { | |
| ExpressionEvaluationSink() { | |
| exists(MethodAccess ma, Method m, Expr taintFrom | | |
| ma.getMethod() = m and taintFrom = this.asExpr() | |
| | | |
| m.getDeclaringType() instanceof ValueExpression and | |
| m.hasName(["getValue", "setValue"]) and | |
| ma.getQualifier() = taintFrom | |
| or | |
| m.getDeclaringType() instanceof MethodExpression and |
artem-smotrakov
/ JakartaExpressionInjectionConfig.ql
Created
April 14, 2021 07:05
CodeQL config for detecting Jakarta EL injections, see https://github.com/github/codeql/pull/5471 for details
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class JakartaExpressionInjectionConfig extends TaintTracking::Configuration { | |
| JakartaExpressionInjectionConfig() { this = "JakartaExpressionInjectionConfig" } | |
| override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } | |
| override predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionEvaluationSink } | |
| override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) { | |
| any(TaintPropagatingCall c).taintFlow(fromNode, toNode) or | |
| hasGetterFlow(fromNode, toNode) |
artem-smotrakov
/ UnsafeSpringExporterInXMLConfiguration.ql
Last active
March 25, 2021 12:45
A CodeQL query for detecting unsafe Spring service exporters in XML configurations
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import java | |
| import semmle.code.java.frameworks.spring.SpringBean | |
| /** | |
| * Holds if `type` is `RemoteInvocationSerializingExporter`. | |
| */ | |
| predicate isRemoteInvocationSerializingExporter(RefType type) { | |
| type.getASupertype*() | |
| .hasQualifiedName("org.springframework.remoting.rmi", "RemoteInvocationSerializingExporter") | |
| } |
artem-smotrakov
/ UnsafeSpringExporterInConfigurationClass.ql
Created
March 25, 2021 12:43
A CodeQL query for detecting unsafe Spring exporters in String configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import java | |
| import UnsafeSpringExporterLib | |
| /** | |
| * Holds if `type` is `RemoteInvocationSerializingExporter`. | |
| */ | |
| predicate isRemoteInvocationSerializingExporter(RefType type) { | |
| type.getASupertype*() | |
| .hasQualifiedName("org.springframework.remoting.rmi", "RemoteInvocationSerializingExporter") | |
| } |
artem-smotrakov
/ beans.xml
Created
March 25, 2021 12:22
An example of a vulnerable HTTP endpoint based on HttpInvokerServiceExporter (CVE-2016-1000027)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <beans xmlns="http://www.springframework.org/schema/beans" | |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xmlns:context="http://www.springframework.org/schema/context" | |
| xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd | |
| http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd"> | |
| <bean id="accountService" class="com.gypsyengineer.server.AccountServiceImpl"/> | |
| <bean name="/account" class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter"> |
artem-smotrakov
/ UnsafeHttpInvokerServiceExporter.java
Created
March 25, 2021 12:19
An example of a vulnerable HTTP endpoint based on HttpInvokerServiceExporter (CVE-2016-1000027)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @Configuration | |
| class Server { | |
| @Bean(name = "/account") | |
| HttpInvokerServiceExporter accountService() { | |
| HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter(); | |
| exporter.setService(new AccountServiceImpl()); | |
| exporter.setServiceInterface(AccountService.class); | |
| return exporter; | |
| } |
artem-smotrakov
/ JexlEvaluationSink.ql
Created
February 17, 2021 13:40
JEXL sinks for detecting JEXL injections with CodeQL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| private class JexlEvaluationSink extends DataFlow::ExprNode { | |
| JexlEvaluationSink() { | |
| exists(MethodAccess ma, Method m, Expr taintFrom | | |
| ma.getMethod() = m and taintFrom = this.asExpr() | |
| | | |
| m instanceof DirectJexlEvaluationMethod and ma.getQualifier() = taintFrom | |
| or | |
| m instanceof CreateJexlCallableMethod and ma.getQualifier() = taintFrom | |
| or | |
| m instanceof JexlEngineGetSetPropertyMethod and |
artem-smotrakov
/ JexlInjectionConfig.ql
Last active
February 17, 2021 13:27
CodeQL config for detecting JEXL injections, see https://github.com/github/codeql/pull/4965/files for details
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class JexlInjectionConfig extends TaintTracking::Configuration { | |
| JexlInjectionConfig() { this = "JexlInjectionConfig" } | |
| override predicate isSource(DataFlow::Node source) { | |
| source instanceof RemoteFlowSource | |
| } | |
| override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink } | |
| override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) { |
artem-smotrakov
/ SandboxedJEXL.java
Last active
February 17, 2021 12:36
Run JEXL expressions in a sandbox implemented with JexlUberspect
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void runJexl(String jexlExpr) { | |
| JexlUberspect sandbox = new JexlUberspectSandbox(); | |
| JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create(); | |
| JexlExpression expression = jexl.createExpression(jexlExpr); | |
| JexlContext context = new MapContext(); | |
| expression.evaluate(context); | |
| } | |
| private static class JexlUberspectSandbox implements JexlUberspect { |